772f87511e89cdf3d1f80a79eeef6ad15b0c03b9d5b06f961ac73b3b3cfe311f

Analysis

max time kernel
90s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2022 20:56

Target

LW18.iso
Size

970KB
MD5

4b7e51ded159f5554aea40bc701fbc59
SHA1

3a82b56219b4cdf36125313c3d89a6c9497525a1
SHA256

772f87511e89cdf3d1f80a79eeef6ad15b0c03b9d5b06f961ac73b3b3cfe311f
SHA512

13f13d2c45920cc3549820cbc1c2f8eab9884a947f6e03e7facb569d638a0ce40b10d98d1f591c7997c0e67fb6f25878234242391b0116a95f8f2ae8cf640a8a
SSDEEP

12288:woEKwnONVvoo6F+DfZxL4+Dir8lkQ5z4hbzmKFX4GfOs5VBNYRbWAUWWvoYPiwBP:woEKw9o6F+DRt4Tr8lkBhfp2QOU

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 1896 cmd.exe
Token: SeManageVolumePrivilege 1896 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	1896	cmd.exe
Token: SeManageVolumePrivilege	1896	cmd.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact